[nginx] HTTP/2: fixed possible buffer overrun (ticket #893).

Thu Feb 4 15:03:53 UTC 2016

details:   http://hg.nginx.org/nginx/rev/11e019750adc
branches:  
changeset: 6377:11e019750adc
user:      Valentin Bartenev <vbart at nginx.com>
date:      Thu Feb 04 18:01:04 2016 +0300
description:
HTTP/2: fixed possible buffer overrun (ticket #893).

Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected.  That might result in one byte less
allocation than needed for the HEADERS frame buffer.

diffstat:

 src/http/v2/ngx_http_v2_filter_module.c |  4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diffs (14 lines):

diff -r 0e0e2e522fa2 -r 11e019750adc src/http/v2/ngx_http_v2_filter_module.c

--- a/src/http/v2/ngx_http_v2_filter_module.c	Tue Feb 02 16:33:55 2016 +0300
+++ b/src/http/v2/ngx_http_v2_filter_module.c	Thu Feb 04 18:01:04 2016 +0300
@@ -215,8 +215,8 @@ ngx_http_v2_header_filter(ngx_http_reque
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
     if (r->headers_out.server == NULL) {
-        len += 1 + clcf->server_tokens ? ngx_http_v2_literal_size(NGINX_VER)
-                                       : ngx_http_v2_literal_size("nginx");
+        len += 1 + (clcf->server_tokens ? ngx_http_v2_literal_size(NGINX_VER)
+                                        : ngx_http_v2_literal_size("nginx"));
     }
 
     if (r->headers_out.date == NULL) {

